Automate Linux with cfengine

Using cfengine, you can keep tabs on system files and push out configuration changes without running from host to host.

Last week we installed, configured and tested a cfengine server. Today we'll set up clients and use cfengine to monitor key system files, run unattended and push out changes to the client hosts.

We need one more server configuration file, /var/lib/cfengine2/inputs/cfrun.hosts. This file does not need to be copied to clients, so don't put a copy in /masterfiles/input. The file is simple: your domain name, and a list of the clients that the server will push changes out to. Remember to double-check your file paths; this example is on Debian:

Client Configuration
Now it's time to install cfengine on a client machine and configure it. The easy way is to copy cfagent.conf, cfservd.conf and update.conf from the server into /var/lib/cfengine2/inputs on the client.

Syntax Checker
You can run the syntax checker anytime:

# cfagent -p

If there are no errors it exits silently. Add the -v switch to generate voluminous output.

Now fire up the cfengine daemons on server and client. On Debian:

# /etc/init.d/cfengine2 start

On Red Hat/Fedora/et al:

# /etc/init.d/cfservd start

Distributing Keys
cfengine works on a two-way trust: Keys must be exchanged from the client to the server, and the server to the client. If you installed from RPMs or apt-get, the installer created two encryption keys and stored them in /var/[whatever]/ppkeys. Exchanging keys is as simple as connecting manually from the server:

You may also automate the key exchange by adding this line to the control section of cfservd.conf:

TrustKeysFrom = ( 192.168.1.0/24 )

Or connect manually from the client:

# cfagent -qv

You may need to run cfrun several times to make everything happen, because it always checks update.conf on the server first and downloads any changed or new files. Then it executes cfagent.conf, which may also need a couple of runs, depending on what actions are taken. Running cfrun again looks something like this:

cfengine::
Update of image /var/lib/cfengine2/cfagent.conf from master
/var/lib/cfengine2/masterfiles/inputs/cfagent.conf on windbag.carla.com
cfengine:stinkpad: Object /tmp/testfile had permission 777, changed it to 600

And Now, the Fun Stuff
OK, that was a bit of work to get going. Now it's all gravy. All you have to do is edit files in the /masterfiles/input directory on the server, and all changes will be copied out to the clients and to the server as well. cfagent.conf is where the action is; let's add some rules to it to make our lives easier. These rules monitor the permissions and ownership of files, and change them back if someone messes with them. This is very handy for key system files, and for Web files, which won't display if they are not world-readable:

Use the files: section for monitoring existing files and directories. The directories keyword is for creating new directories. The r=4 directive means "recurse no more than four levels into the /var/lib/http directory". r=0 means "no recursion", so cfengine pays attention only to the top-level directory, and r=inf means keep going until you hit bottom. Specifying a number rather than inf is a simple safety precaution.

You can run shell commands, like this one for updating the locate database:

shellcommands:
"/usr/bin/updatedb"

You can create and enforce symlinks, using the syntax linkname -> object to link to:

Automating cfengine
It's fun to push the button and watch things happen. It's also fun to set up cfengine to run unattended, and just take care of business. cfengine will check processes that need to be running, and start them if they're not:

You don't want to hassle with a DNS server? Hosts files were good enough for my granny, and by dang they're good enough for me. Use cfengine to keep all hosts files on your network synchronized. This example completely rewrites /etc/hosts every time it is changed, which suits us nervous types just fine:
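The following cfagent.conf fragment pulls together the rules discussed above (the files: permission and ownership checks, directories:, links:, processes: and a copy: rule that keeps /etc/hosts in sync) as an added example, not code from the original article. The file paths, owners and groups, the init script name, the master hosts location /var/lib/cfengine2/masterfiles/etc/hosts and the server name are assumptions for a Debian client; action=warnall is included to show the monitor-only alternative to action=fixall.

```cfengine
# cfagent.conf fragment (added example; paths, owners, groups and hostnames are assumptions)
control:
   # domain as listed in cfrun.hosts; actionsequence sets the order the sections run in
   domain = ( carla.com )
   actionsequence = ( files directories links processes copy shellcommands )

files:
   # Key system files: detect drift in mode/owner/group and repair it (action=fixall)
   /etc/passwd          mode=644 owner=root group=root   action=fixall
   /etc/shadow          mode=640 owner=root group=shadow action=fixall
   /etc/ssh/sshd_config mode=600 owner=root group=root   action=fixall
   # Web tree: recurse at most four levels; files must stay world-readable to be served
   /var/lib/http        mode=644 owner=www-data group=www-data r=4 action=fixall
   # Monitor-only variant: log an unexpected change in the cfagent output but do not touch it
   /etc/sudoers         mode=440 owner=root group=root   action=warnall

directories:
   # Create the directory if it is missing, with the given ownership and mode
   /var/lib/http/logs mode=750 owner=www-data group=adm

links:
   # Enforce a symlink using the syntax: linkname -> object to link to
   /usr/local/bin/editor -> /usr/bin/vim

processes:
   # Restart the daemon if no running process matches the pattern
   "sshd" restart "/etc/init.d/ssh start"

copy:
   # Rewrite /etc/hosts from the master copy whenever its checksum differs (assumed master path/server)
   /var/lib/cfengine2/masterfiles/etc/hosts dest=/etc/hosts mode=644 owner=root group=root server=windbag.carla.com type=checksum

shellcommands:
   # Refresh the locate database after the file changes above
   "/usr/bin/updatedb"
```

Run `cfagent -p` after editing to catch syntax errors, then `cfagent -qv` once to see which rules take effect before leaving it to run unattended.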

That's just a snippet of the power of cfengine. Getting up and running is the hard part; now you can study the Tutorial and Reference manual and learn all kinds of creative ways to automate your network chores.
